Data Processing Addendum

This DATA PROCESSING ADDENDUM 

concluded in accordance with Article 28(3) of Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR") 

(the "Addendum")

BETWEEN:

Client ordering and using the Services as provided by the Provider upon accepting the Terms on the Site 

(the "Controller"),

and

ErlaServers s.r.o., having the seat at Veľký diel 3323/1, Žilina 010 08, Slovakia, ID number (IČO): 54 385 504, registered with the Commercial Registry of District Court Žilina, Section: Sro, File No.: 81219/L, email:  info@seenode.com 

(the "Processor")

(The Controller and the Processor hereinafter jointly as the “Parties” and individually as the “Party”.)

‍

THE PARTIES HAVE AGREED AS FOLLOWS:

1. Object and Purpose of the Addendum
   1. The Parties have agreed on the wording of the Terms, the subject of which is the provision of Services as defined by the Terms by the Processor to the Controller. For the purpose of this Addendum, the Terms of the Processor and/or the purchase order issued by the Controller and/or any other commercial form of cooperation arrangement between the Controller and the Processor under which the Processor provides the Services to the Controller shall also be deemed to be the Main Agreement (jointly as the “Main Agreement”).
   2. Terms beginning with capitals and used in this Addendum that are not defined in this Addendum shall have the meanings as set forth in the Processor’s Terms available on the Processor’s website.
   3. When providing the Services, the Processor processes personal data on behalf of the Controller, and the Parties intend by this Addendum to ensure that such processing of personal data by the Processor complies with the GDPR and other applicable data protection legislation. Thus this Addendum forms an integral part of the Terms and regulates how the Processor processes personal data on behalf of the Controller for the purpose of Service provisioning. By accepting the Terms, the Controller accepts and agrees to be bound by this Addendum.
   4. The Controller, within the meaning of Article 4 of the GDPR and Section 5 of the Personal Data Protection Act, determines by this Addendum the purposes and gives instructions for the processing of personal data that the Processor will process on Controller’s behalf and according to Controller’s instructions.
   5. The Controller also declares that it has complied with Article 28(1) of the GDPR and the Processor provides sufficient guarantees that appropriate technical and organizational measures will be used to ensure that the processing of personal data complies with the legal requirements and that an adequate protection of the rights of data subjects is ensured.
   6. The subject matter and duration of the processing, the nature and purpose of the processing, the method of processing, the categories of data subjects and the scope of the personal data to be processed by the Processor on behalf of the Controller pursuant to this Addendum are set out in Annex 1 herein.
2. Definitions
   1. Terms used in this Addendum shall have the following meanings:
      1. Personal data means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
      2. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
      3. Additional processor is any third party that is entrusted by the Processor to process the Controller's personal data;
      4. Data subject is an identified or identifiable natural person whose personal data is being processed;
      5. Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
      6. Applicable data protection legislation within the meaning of this Agreement means Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation);
      7. The Standard Contractual Clauses are the contractual document on the basis of which the transfer of personal data to third countries takes place in accordance with Commission Implementing Decision (EU) 2021/915 of  June 4, 2021 on standard contractual clauses between controllers and processors pursuant to Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (Text with EEA relevance)
      8. Third countries are countries that are not a member state of the European Union or are not a party to The European Economic Area Agreement.
3. Rights and Obligations of the Parties
   1. Rights and Obligations of the Controller
      1. It is the Controller's obligation to ensure that the personal data of the data subjects being processed are obtained on the basis of a valid legal basis that enables the Controller to process such personal data and to authorize the Processor to process such personal data based on this Addendum.
      2. The Controller is obliged to inform respective data subjects about the processing of their personal data in connection with the provision of the Services and to provide such data subjects with all information required pursuant to Articles 12 and 13 of the GDPR.
      3. The Controller is obliged to instruct the Processor to process personal data mainly, but not exclusively, through this Addendum and the Terms. If necessary, any instructions other than those contained in this Addendum may be given by the Controller to the Processor electronically in written form, including via the Platform.
      4. The Controller may require the Processor to demonstrate compliance with its legal obligations under the applicable data protection legislation and under this Addendum.
      5. The Controller is entitled to carry out a data protection audit of the Processor once per year. During the audit the Controller may request only necessary information relating to the processing of personal data under this Addendum. The Controller shall give the Processor at least 30 days' prior written notice of the planned audit. The audit shall be conducted by an independent third-party auditor reasonably acceptable to the Processor. The Controller shall reimburse the Processor for all costs incurred to the Processor in connection with the performance of the audit. When conducting an audit, the Controller shall comply with the Processor's security and organizational instructions so as not to disrupt or restrict the Processor's operations. Upon request of the Processor, Controller shall enter into the non-disclosure agreement with the Processor for the purpose of the audit. The Controller shall promptly provide the Processor with information regarding any noncompliance discovered during the course of an audit.
   2.  Rights and Obligations of the Processor
      1. The Processor shall take reasonable measures necessary to comply with the legal requirements under the applicable data protection legislation and to ensure the protection of the rights of data subjects and shall, in particular but not exclusively, take appropriate technical and organizational measures and process personal data in accordance with the Controller's instructions and the provisions of this Addendum.
      2. The Processor is obliged to process personal data in accordance with the instructions of the Controller to the extent, under the conditions and for the purpose set out by the Controller in this Addendum. The Processor shall confirm the receipt of other instructions from the Controller according to clause 3.2.3 herein to the Controller electronically in writing. The Processor shall notify the Controller without delay and before commencing the processing of personal data if the Processor is required to process personal data to comply with a legal obligation outside the scope of the Controller's instructions and such notification is not contrary to the law or public interest.
      3. The Processor is obliged to inform the Controller without delay if the Processor considers the Controller's instructions to be contrary to the applicable data protection legislation or if compliance with such instructions cannot ensure adequate protection of personal data of data subjects.
      4. When processing personal data, the Processor is obliged to act in accordance with the applicable data protection legislation.
      5. The Processor is responsible for the security of the processing of personal data in accordance with Article 32 of the GDPR and for compliance with the appropriate technical and organizational measures according to Annex 3 of this Addendum.
      6. The Processor is obliged to ensure that only authorized persons have access to the personal data and that they are bound by the confidentiality duty and/or secrecy, which will last at least 2 years after the processing of the personal data has been completed. The Processor also declares that the authorized persons have been informed of their rights and obligations in the processing of personal data arising from the applicable data protection legislation and from this Addendum.
      7. The Processor is obliged to notify the Controller of any personal data breach incurred to personal data processed under this Addendum within 72 hours upon becoming aware of personal data breach. This notification must include the information required under the applicable data protection legislation, if the information is available to the Processor at the time of the notification.
      8. The Controller agrees that Processors’ obligation to notify the personal data breach is not and will not be construed as an acknowledgment by the Processor of any fault or liability of the Processor with respect to such personal data breach.
      9. The Processor shall be obliged to delete or return to the Controller any personal data, or any copies thereof, which have been provided to the Processor for the purposes this Addendum within 30 days after the termination of the provision of the Services under the Main Agreement or after the expiry of the necessary time period for their processing specified in Annex 1 to this Addendum.
      10. If the data subject addresses the Processor with their request concerning their rights relating to the processing of personal data under this Addendum, the Processor shall refer the data subject to the Controller and shall inform the Controller of the request without undue delay. The Processor shall provide the Controller with assistance in processing the data subject's request in accordance with Article 28 (3) (e) of the GDPR to the extent that the data subject's request cannot be handled by the Controller independently using the information already known to the Controller in the context of the provision of the Services under the Main Agreement and/or available on the Site.
      11. The Processor commits to follow the procedure set out in Article 4 of this Addendum when entrusting any third party with the processing of personal data.
      12. The Processor commits to provide the Controller reasonable cooperation necessary to ensure the fulfillment of obligations under Article 32 and Article 36 of the GDPR. 
      13. The Controller acknowledges that the Processor is entitled to use personal data for its own purposes, mainly for the development of its services, to process feedback given by the Controller or User regarding the Services or other aspects of the cooperation under the Main Agreement, and to perform analytics concerning the usage of its services as an independent data controller. Whenever possible, the Processor will process only anonymized or otherwise de-identified personal data for these purposes. When processing personal data for its own purposes, the Processor shall fulfill the obligations imposed on a data controller by the applicable data protection legislation. 
4. Additional Processors
   1. The Controller hereby authorizes the Processor to entrust additional processors with the processing of personal data according to this Addendum.
   2. The processor shall inform the Controller about the engagement of additional processors within 10 days via the Platform or via email sent to the Controller’s email used in the Registration Form.
   3. The Controller shall have the right to object to the assignment of the additional processor within 10 days from the date of receipt of the information on the engagement of the additional processor. If the Controller does not exercise this right within the stipulated period, the Parties acknowledge that the Controller agrees to the engagement of the additional processor. The Controller also undertakes to exercise its right to object only in justified cases. The Controller acknowledges that the exercise of the right to object to the entrustment of another processor may result in the impossibility of processing personal data pursuant to this Addendum and, therefore, the impossibility of providing the Services. In the event that the Controller exercises the right to object to the engagement of an additional processor and, as a result of such action, the Processor is unable to provide the Services to the Controller, the Controller will not have right to any claims against the Processor in respect of such inability to provide the Services other than those expressly granted to the Controller in the Main Agreement. In particular, the Controller will not be entitled to any additional compensation or a refund of the fees for the Services already paid for.
   4. The Processor shall ensure that the additional processor to whom an authorization has been granted in accordance with the clauses above, is bound by the similar obligations regarding the protection of personal data as the Processor has undertaken under this Addendum.
   5. Processor shall be liable for the acts and omissions of its additional processors to the same extent the Processor would be liable if performing the services of each additional processor directly under the terms of this Addendum except as otherwise set forth in the Main Agreement.
   6. At the time of conclusion of this Addendum, the Processor has entrusted the processing of personal data under this Addendum to the additional processors listed in Annex 2 of this Addendum, to which the Controller agrees.
5. Transfer of Personal Data to Third Countries
   1. The Processor is entitled to transfer personal data processed under this Addendum to third countries only if it ensures that the level of protection of personal data after such transfer corresponds to the level of protection under this Addendum and the applicable data protection legislation. The Processor shall ensure that adequate security and protection measures are complied with in accordance with this Addendum and the applicable data protection legislation and that the rights of data subjects are not compromised and shall enter into standard contractual clauses for the purposes of such transfer in the relevant wording.
   2. If the Controller is located outside of the EU, the Parties agree to conclude standard contractual clauses in the applicable wording to ensure the legality of transfer of personal data and compliance of the Parties with applicable data protection legislation.
6. Liability for Damages
   1. Controller’s remedies, including those of its affiliates, and Processor’ liability, arising out of or related to this Addendum will be subject to those limitations of liability and disclaimers as set forth under the Main Agreement or if there are no limitations of liability stipulated in the Main Agreement, the Parties agree and declare that the total damage which may arise out of the breach of this Addendum shall not exceed five thousand euro.
7. Duration and Termination of the Addendum
   1. This Addendum shall be valid and effective from the date of its signing by the Parties and shall terminate on the date of termination of the Main Agreement. If necessary, this Addendum shall remain in force after the termination of the Main Agreement for the necessary period of further processing of personal data required for the termination of the Main Agreement and afterwards in compliance with applicable laws.
   2. Processor may terminate this Addendum if Processor offers alternative mechanisms to the Controller that comply with the obligations of the applicable data protection laws.
   3. The Controller shall be entitled to terminate this Addendum without giving any reason in line with the conditions stipulated for the termination of the Main Agreement. The Controller acknowledges that the termination of this Addendum means inability to provide the Services by the Processor under the terms of the Main Agreement. The Processor shall not bear liability for the damages incurred to the Controller by such termination.
8. Contact Persons
   1. The Parties have stipulated that the following contact points shall be used for matters arising out of this Addendum:
      • contact details of the Controller as used in the Registration Form, unless Controller informs the Processor about different contact details;
      • contact details of the Controller as used in the Registration Form, unless Controller informs the Processor about different contact details;
9. Final Provisions
   1. If any contract, other binding document or agreement entered into between the Parties contains provisions relating to the protection of personal data in the processing of personal data in the provision of the Services, on the effective date of this Addendum, such provisions shall cease to be valid and effective and the processing of personal data between the Controller and the Processor shall be governed solely by the provisions of this Addendum.
   2. Nothing in this Addendum amends the Governing Law and Jurisdiction section of the Terms, which shall, for the avoidance of doubt, govern all claims brought under the Terms and this Addendum.
   3. The following annexes are an integral part of this Addendum:
      Annex 1: Specification of data processing
      Annex 2: Agreed additional processor(s)
      Annex 3: Technical and organizational measures
   4. This Addendum may be amended only by agreement of the Parties in the form of written amendments to the Addendum.
   5. The Parties declare that their legal capacity and freedom to enter into this Addendum, as well as their capacity to perform related legal acts is not limited or excluded by anything and that they have read this Addendum, understand its contents and that they conclude this Addendum freely and seriously, that it has not been concluded under unfavorable terms or under duress. 

 This Addendum shall become effective as of (...).

In (...), on (...).

‍Annex 1

Specification of data processing

1. Subject and purpose of the processing of personal data:
   Personal data will be processed by the Processor on the Platform for the purpose of providing the Services to the Controller in accordance with the terms of the Main Agreement.
2.  Method of processing personal data:
   Personal data will be processed by the Processor through various electronic means (i) as part of the Controller’s Feedback and Controller’s Content on the Platform (ii) when performing processing operations on the Platform necessary to fulfill the purpose of the cooperation of the Parties and to deliver the Services to the Controller.
3. Period of processing of personal data:
   The Personal Data will be processed for the duration of the Parties' cooperation under the Main Agreement and in accordance with the time period determined pursuant to section 7 of this Addendum.
4. Categories of Data Subjects:
   Due to the nature of the Services, the categories of data subject shall be determined by the Controller and may include e.g. employees, customers, business partners, third parties, representatives of the Controller, etc.
5. Scope of processed personal data of data subjects:
   Due to the nature of the Services, the scope of processed personal data may be determined solely by the Controller, who decided to use the Platform of the Processor.
6. The scope of processed special categories of personal data of data subjects:
   Due to the nature of the Services, processing of special categories of personal data cannot be excluded. The Controller is solely responsible to determine if special categories of personal data will be processed.

Annex 2

Agreed additional processors entrusted by the Processor

For the purpose of this Addendum, the Parties confirm and agree that the Processor can use the additional processors as listed in the Processor’s Privacy Policy.

‍

Annex 3

Technical and organizational measures to ensure the security of personal data

The Processor undertakes to comply with the following technical and organizational measures when processing personal data under this Addendum. List of these technical and organizational measures is available here.

‍